Yes, I've just deployed my users with the users group but I have a question. How can I enable Sharing and Security function for my users? With the users group, user can't use sharing and security in context menu and printer sharing as well. -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of MacLeonard Sent: Tuesday, February 13, 2007 10:15 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Help Me! Prevent Users to install software on their computers. Hi DinhDuy, and all > - I deploy Power Users rights to all users in my Domain. > > - After deploying, everyone can setup software on their computer, so I want > to prevent this action. How can I do that? Here's the best solution to this problem (flame sheilds up): 1. Prevent your users from running as power users. Giving a user power user rights on a desktop is akin to giving them administrator privileges. Here's how this kind of thing typically plays out: 1. You give your users Power User rights. 2. You want to lock down a specific aspect (such as installing software) 3. You invest large amounts of time/money obtaining a "solution" and making it "work" 4. Your users find some (not very difficult) way around this "solution" 5. Repeat steps 3 and 4 ad infinitum. Take the time to work out how enable your users to work as members of the users group, and you'll save a significant amount of time in the long run. You *could* always enable software restriction policies make the default policy "disallowed" and then enable access to *only* those apps you need to run, but your users will likely work out that they can get around this with admin rights in short order - and the process is quite tedious and very very difficult. Option 1 is undoubtedly the way to go on this. -- MacLeonard Starkey CISSP, MCSA Email: winsec@xxxxxxxxx *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************